As others have pointed out, cryptographic authentication is very hard to bootstrap if you simply lose your device.
Just last month my missus cracked the glass of her iPhone. Apple repaired it under AppleCare, which is great… except… that they didn’t tell her that the “glass repair” entails them replacing the guts of the phone and wiping it in the process.
Apple iPhone backups don’t contain cryptographic secrets like eSIMs!
She got stuck in a loop where she couldn’t activate her eSIM because that needed her email, but her email needed MS Authenticator, which she couldn’t activate without an SMS.
She had to drive to the Telco with a pile of photo ID to reissue her eSIM. Her bank account got locked in the process despite the password being correct because of some sort of phone hardware lock.
This took days to fix and multiple in-person visits to various organisations. If this had happened while overseas on holiday, she would have been screwed.
Times have changed.
Your entire digital identity is now a smart card in your phone.
That Smart Card is either a SIM card or an onboard TPM chip, but in any event if you lose it, you may as well be dead as far as anyone else is concerned.
Passkeys make this much worse. At least if you still have a physical SIM you can transfer it from any phone to any other phone.
Passkeys are not cross-vendor transferable!
Run away screaming. Don’t believe the hype. Wait until the vendors get their act together and come up with a solution for transfer and recovery.
> Run away screaming. Don’t believe the hype. Wait until the vendors get their act together and come up with a solution for transfer and recovery.
Very much this. Having authentication tied to hardware you don't control is a near-certain denial of service in the future.
People love to hate on passwords but the reality is that for many circumstances (threat models) they are the best compromise. You can make them more than strong enough (take 32+ bytes out of /dev/random and encode however you like, nobody will ever brute force that in this universe) and various passwords managers solve the problem of re-use (never reuse a password).
And it comes with the benefit that you control how it is stored and can apply as much redundancy as you want to feel comfortable.
> Run away screaming. Don’t believe the hype. Wait until the vendors get their act together and come up with a solution for transfer and recovery.
I believe all of the issues you've described, but you can usually add multiple passkeys to each service. There is nothing stopping you from adding your iPhone and a cheap Android phone and having redundancy, or using 1Password and storing your passkey in there.
iPhone backups do store backups of the media stored in iCloud Keychain; if you have another Apple device or if you have the recovery key, you can get back in. You just need the device passcode or recovery key and you can re-bootstrap everything. eSIMs are unique because they're carrier things, and those things have and always will be a pain and tied to stores and phone calls.
Add to that many web sites now make it a point of pride that they employ no humans in support and will not do anything to help you get back into your account if you are locked out (Google, Meta etc).
As with everything, you probably want a backup. Get more than one passkey.
I pretty much use 3; Yubikey in my workstation, portable Yubikey, phone. All 3 of those can bootstrap Google, which I use for email, and Apple, which I use for my phone. Then, everything else is in 1Password, which is available through those mediums. Worst case, I am pretty sure in the most dire of dire emergencies, I can get my email back no matter what. Verify ID with my DNS provider, switch MX records, back in business. Even then, it's not necessarily essential to daily life. (A colossal inconvenience to lose access? For sure. Death sentence? Probably not.) All my SMS and Signal contacts are elsewhere. I can spend money out of my bank account by writing a check. I can get into work stuff by showing up in person at an office.
I do think that passkeys are probably too complicated for the ordinary user of computers; unfortunately that "we'll just email you a link every single time you want to sign in" seems like the most user-friendly passwordless authentication.
I also don't feel great about my habit of putting passkeys in 1password, because I know I'm locked in forever. But, I like the service, and when I want to switch, welp, at least there's a list of accounts I have to remake.
My biggest fear is something like forgetting my phone's passcode. One time I woke up, got distracted at just the wrong moment, and could not for the life of me remember my 6 digit passcode. (I also use the same code to unlock my workstation.) I had to distract myself and then use muscle memory to remember it. It was really crazy, truly one of those "did I just have a stroke" moments. I have that saved in 1password now, so if I have one unlocked device, I can refresh my memory. This happened a while ago and I don't think I have dementia. Just a weird quirk.
(Meanwhile, I can perfectly remember every 1-year-max-lifetime password I've ever had at any job. A lot of that good does when you can't remember a 6 digit number!)
To save people from reading the article before running away screaming:
> But while they’re a big step forward, we know that new technologies take time to catch on — so passwords may be around for a little while. That's why people will still be given the option to use a password to sign in and may opt-out of passkeys by turning off “Skip password when possible.”
So, soon passwords will be added to “Killed by Google,” along with my account. (I keep zero devices logged in.)
It’s well past time to migrate off my few remaining use cases. I wonder if my employer will be able to reset my corporate account passkeys when the inevitable happens.
Passkeys are one of the non-phishable means of authentication. If something is easy for a user to recover, then it's the same for a malicious actor. Some platform-based passkeys (Apple, Google) are actually syncable across devices. The whole passkeys concept is under debate and discussion for what it means for different types of WebAuthn authenticators when it comes to the ability to sync the credentials. Alternatively, one can use security keys which they can keep with themselves, and could protect themselves by enrolling one additional security key for recovery purposes that they keep away. Regardless, the whole idea is to have more than one MFA factor enrolled so that one does not get locked out. The ease of using WebAuthn/passkeys outweighs typing in password, SMS, or TOTP codes and has big savings for big players in avoiding phishing attacks. It might not be suitable for every use case but is worth using for some.
Unless you store the passkey in a hardware Fido key like a Yubikey. Then the way to transfer it is to physically carry the key and plug it to another device.
Honestly, if they'd just give me the option to write it down (or take a picture or whatever) and manually restore it by typing it in if I need to, that would just about solve the issue.
Your wife's experience sounds very bad and the risk of getting locked out of your various accounts is serious.
That doesn't mean giving up on having good security, though. Passkeys don't work like eSIMs and other users' situations might not be the same. Their failure modes will be different. They might have more than one device (like a phone and a tablet), or they might not use MS Authenticator for their email, or they might have set up different recovery methods?
We need more backups and user education, which ideally would include rehearsing account recovery before it's actually necessary.
TBH I don't trust google on security one bit after one of my namesakes attached her phone to my google account a few months ago without any warning or prompting by google to me.
Not being able to regain access in exceptional cases is one of the big reasons why I am very wary about being forced to activate 2FA and other auth. It is so nice in theory... But the reality is that many users only use their phone to do almost everything digital in their life. My gf works for an assistive technology reseller. Since 2FA has been forced down the throats of unsuspecting users, she has had to support several of their customers in regaining access to their Apple ID, noticing a few glitches in the supposed Apple support path while at it. Phone hardware changes every few years. Email addresses can change. And phone numbers can change. Combine all of them, and 2FA is suddenly no longer such a good idea... For reasonably sized companies, 2FA might be a good solution, because in case of you losing access in some way, there is likely a support path that gets you back on track in a reasonable amount of time, given that IRL auth is relatively simple. But for services where you are just a number, like every big provider, I believe a reasonably strong "master" password is still comforting to have.
The solution to your problem is simply more passkeys.
I am not being sarcastic - whichever service you're authenticating to, make sure you have passkeys from at least 2 different devices so you do not lock yourself out.
If you don't fit into this multi device assumption, passkeys are not going to work well for you. There will not be a standard for transfer / recovery.
Completely agree. Currently I can perform a full bootstrap using information stored in my brain (with my partner's brain as backup). Any new "solution to passwords" that doesn't allow that means an instant NO from me. I don't care how much more theoretically secure it is.
It would be awesome to have an "emergency" server where I could type in the URL, decrypt it with my passphrase and OTP, and get access to everything I need temporarily so I can re-bootstrap all my stuff. Of course, this doesn't solve the problem of SMS 2fa being used for everything, but it's a good first step.
I am in favor of cross-platform solutions like YubiKey. Apple and Google passkeys are lame.
Passkeys follow the 3-2-1 backup rule, just like any other digital data. The main difference being that you don't need to backup the passkey itself, just have multiple passkeys.
Have 3 passkeys
2 of them on-person at any time (e.g. one on your phone TPM, one on a Yubikey)
1 of them off-site (e.g. keep a backup Yubikey at home in a fireproof safe, or use a 1Password passkey, depending on your threat model)
Whenever you sign up for a new vendor/service, register all three passkeys with your account.
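As an added example (not from this thread and not any vendor's tool), a small Python "lockout rehearsal" that encodes the 3-2-1 layout above as a constructed inventory, flags services that fall short of it, and enumerates which services you would be locked out of for each loss scenario, including losing everything on your person at once, which is the rehearse-recovery-before-you-need-it advice from earlier in the thread made concrete. All device and service names are made up, and a synced password-manager vault is modelled as usable only while a device that can run it survives.

```python
"""Lockout rehearsal for a passkey inventory (constructed example).

Answers two questions about a constructed inventory:
  1. Which services violate the 3-2-1 rule (fewer than 3 passkeys,
     fewer than 2 on-person, none off-site)?
  2. After a given set of authenticators is lost, which services have
     no usable passkey left?  A synced authenticator (a password-manager
     vault) counts only if a device it runs on is itself still available.
"""
from itertools import combinations

# Constructed inventory.  "requires_any" lists devices a synced authenticator
# needs in order to be usable at all; hardware and platform keys need nothing.
AUTHENTICATORS = {
    "phone":         {"location": "on-person", "requires_any": set()},
    "laptop":        {"location": "on-person", "requires_any": set()},
    "yubikey-carry": {"location": "on-person", "requires_any": set()},
    "yubikey-safe":  {"location": "off-site",  "requires_any": set()},
    "1password":     {"location": "off-site",  "requires_any": {"phone", "laptop"}},
}

# Constructed map of service -> authenticators holding a registered passkey.
SERVICES = {
    "email":    {"phone", "yubikey-carry", "yubikey-safe"},
    "bank":     {"phone"},
    "work-idp": {"yubikey-carry", "yubikey-safe"},
    "forum":    {"1password"},
}


def check_321(services, authenticators):
    """Per-service list of 3-2-1 violations; services that pass are omitted."""
    findings = {}
    for svc, creds in services.items():
        on_person = [c for c in creds if authenticators[c]["location"] == "on-person"]
        off_site = [c for c in creds if authenticators[c]["location"] == "off-site"]
        problems = []
        if len(creds) < 3:
            problems.append(f"only {len(creds)} passkey(s) registered")
        if len(on_person) < 2:
            problems.append(f"only {len(on_person)} on-person passkey(s)")
        if not off_site:
            problems.append("no off-site passkey")
        if problems:
            findings[svc] = problems
    return findings


def available(authenticators, lost):
    """Authenticators still usable after `lost` are gone.

    Iterates to a fixed point because a synced vault is usable only while
    at least one of the devices it runs on is itself still available.
    """
    lost = set(lost)
    usable = set()
    changed = True
    while changed:
        changed = False
        for name, auth in authenticators.items():
            if name in lost or name in usable:
                continue
            if not auth["requires_any"] or auth["requires_any"] & usable:
                usable.add(name)
                changed = True
    return usable


def lockouts(services, authenticators, lost):
    """Services with no usable passkey once the `lost` authenticators are gone."""
    usable = available(authenticators, lost)
    return sorted(svc for svc, creds in services.items() if not creds & usable)


def rehearse(services, authenticators, max_loss=2):
    """Enumerate every loss of 1..max_loss authenticators, plus losing all
    on-person authenticators at once (the robbed-while-abroad case)."""
    names = sorted(authenticators)
    scenarios = {}
    for n in range(1, max_loss + 1):
        for combo in combinations(names, n):
            scenarios[combo] = lockouts(services, authenticators, combo)
    carried = tuple(a for a in names if authenticators[a]["location"] == "on-person")
    scenarios[carried] = lockouts(services, authenticators, carried)
    return scenarios


if __name__ == "__main__":
    for svc, problems in check_321(SERVICES, AUTHENTICATORS).items():
        print(f"{svc}: " + "; ".join(problems))
    for lost, locked in rehearse(SERVICES, AUTHENTICATORS).items():
        if locked:
            print(f"lose {', '.join(lost)} -> locked out of {', '.join(locked)}")
```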
I moved quite a bit of logins to Passkey and I chose to stay with the Apple ecosystem as my Passkey Lord/God. So far, it has worked and I have moved between devices (desktops, mobile, and the in-betweener).
Assuming I’m going to stay for quite a while with the Apple Ecosystem, am I doing it wrong by making my Passkeys pass through my Apple ID?
For instance, I change my eSim or number or replace phone, won't accept next time I login and then verify from the laptop, desktop, iPad, watch, or, heck, the Apple Polishing Cloth? (Assuming the cloth will become a smart cloth eventually).
They are when using a third-party password manager like 1Password or Dashlane. At least there they are device agnostic. Haven't yet tried to export a passkey to another manager.
Why do you believe that introducing support for passkeys inherently makes the situation worse? If you don't trust them, you're not forced to use them; traditional methods still exist.
In any case, you should have multiple methods. It could be passkeys on multiple devices. It could be TOTP, plus recovery codes in a safe. Passkeys are just one more method.
For the longest time, the gold standard for authenticating people has been tamperproof hardware with keys that cannot be copied. Except iPhones actually have credible biometrics on top of that. Much better than Yubikeys, for example. Of course you always need to have at least one backup device or other method in case your primary device is lost. Now that this is finally making its way to the “normal people”, it's suddenly a “run away screaming” scenario? Come on.
EDIT: I assumed passkeys refer exclusively to hardware passkeys, mb.
My answer below means separate HARDWARE "security keys", not ones tied to a smartphone, Google or Microsoft account...
The problem here is that you are assuming one passkey. Just like you don't get just one key for your door, it's risky to get only one passkey if you are planning to use it exclusively.
Passkeys are like normal keys but for your digital life. They have many benefits over normal keys, like being impossible to copy/pick while still being easy to replace (as long as you have one that works), and if used properly (with a short PIN code) someone who finds or steals your key can't log in to your virtual doors anyway. They compare even better to passwords.
Just get one for your keychain and one to put at your stationary computer at home. The only thing to remember is to add both to your account(s), which still is faster than fiddling with your password manager and/or second factors.
Passkeys are really amazing, the only thing(s) remaining is to stop confusing people with terminology, explain that you should have a pair and for services to start properly using the keys as a combined first+second factor with a pin (which you can have safely the same on all your passkeys, in contrast to passwords).
What do you mean not cross-vendor transferable? You can use any brand key that properly implements the protocol (FIDO2/WebAuthn), and replace them with any brand key. If you mean copy them, well yea that's kinda the point..
There are plenty of ways for recovery on reasonable services; sometimes they ask to set up way too many (and with multiple passkeys, recovery is only relevant if you lose ALL of your keys).
Just want to point out that if your missus had a pair of passkeys there would not have been any issue!
That's the reason I have 2 devices with my accounts and auth app. One is for daily use and another one is a backup phone in case something happens to the first one.
While I believe this is a step in the right direction, I have read too many horror stories of people who were locked out of their Google and iCloud accounts with no real possibility of getting back in.
I don’t think I am alone in thinking I am on borrowed time. Someday, probably due to my own fault I will be locked out of Google and my digital life will be over.
If a private company can offer a similar login method like login.gov and let me talk to a real person when I am locked out like the USPS, I will be screaming shut up and take my money.
1Password enabled PassKey support recently and I was "surprised" to learn that there is no way of exporting them out of 1Password. They're not included in the 1PUX format export, nor in the CSV.
That means that they're literally impossible to back up. If 1Password goes down, or the company stops operating, or anything else like that, your Passkeys are just... gone. Absolutely no way to recover them.
On average, this might increase security (the vast majority of users are terrible at using passwords).
For proficient users who use passwords securely, this is an acute drop in security (if forced to use).
Forced phone number 2FA has the same effect; in Big G's case forcing phone number 2FA is anti-anonymity disguised as security. In this case, it's a bid for biometrics.
I'm surprised that they're moving forward with this already. As of last week, there were still enough rough edges on their implementation that I disabled it for my Workspace tenants. The two most irritating:
1. Advanced protection doesn't yet support passkeys. You must keep U2F in place for now.
2. If you have a U2F key configured on your account, Google will prompt you to use it as a passkey before telling you that it's not a passkey and you must log in with your password. The net result is that anyone using phishing resistant MFA loses the ability to have their MFA step "remembered" on a device because Google will always prompt for the U2F factor before the password.
This aside, I've been doing a lot of testing with FIDO2 flows using security keys and passkeys across device types and platforms in preparation to roll out passwordless via Okta with a couple of smaller clients. Overall, I love the authentication flow, but there are a lot of gotchas to keep in mind. We've spent a considerable amount of time mapping out the happy path, creating onboarding resources, and documenting business continuity scenarios. The personal use case is actually more of a challenge in some ways, because you need to think about each service rather than just one IdP.
FYI, the easy path right now if you need to support multiple environments is to invest in 1Password or another password manager that supports passkeys. This provides the most consistent user experience and works across most platforms, though we're still having trouble with Android 14.
We're sticking to hardware keys for highly privileged accounts, so admins get a pair of FIDO2 keys. Everyone else gets one Yubikey, which serves as a backup if they lose access to their devices or need to log in on an untrusted device. Android is also a problem here. Even in 14, it doesn't seem to support passwordless FIDO2 flows.
This is an interesting direction. It's worth noting that biometrics, like fingerprints or facial recognition, aren't really 'secrets'. They can be observed or leveraged without a user's knowledge or consent, and in many ways function more like a username than a password.
Most accounts with passwords have the fail-safe method of 'prove my identity to company, they reset'. I.e if you can't remember your bank password, there are paths for the bank to reset for you.
Anything that Google controls you have absolutely no way to get in contact to resolve issues. This is already a problem with all of their products. Locking all of your access behind a Google controlled door is just setting yourself up for a future nightmare.
One question I don't often see asked in regards to passkeys: what is the legal standing in regards to law enforcement access to 'passkeys' vs passwords?
For example, it is completely valid to say I genuinely do not know my 1000 long multiple special character password; it could be on a piece of paper, in a file encrypted with multiple layers. Essentially, there is no foolproof way to ever prove whether I know a given password, or not, especially if the password is only ever in my head (assuming the plaintext version is never logged, all you would ever have as 'proof' is a hash to compare it to).
Passkeys make it so that, I imagine, there is an element of 'proof' at all times; your face, fingerprints (which in some countries you are required by law to provide), I can't disprove I "own" my fingers so that element is always there, and you can be compelled to provide your fingerprints at any time for any reason - with a password, it is impossible to know whether I know a password.
In that sense, a password is far, far, far stronger than any other method of authentication.
Take a scenario: Mr Police wants access to your phone, it's protected only by your fingerprint, pretty easy to gain access. Now do the same but with a password that's sufficiently complex, written on a now shredded piece of paper, and there is genuine plausible deniability.
I imagine in a lot of cases this is extremely important and passkeys will be shunned altogether.
>To use passkeys, you just use a fingerprint, face scan or pin to unlock your device, and they are 40% faster than passwords
>We’ve found that one of the most immediate benefits of passkeys is that they spare people the headache of remembering all those numbers and special characters in passwords.
So they aren't considering at all how easy the autofill password feature is with a password manager (which they even have built into Chrome/Android).
Ugh, is this why my FIDO key started making me enter a redundant pin on the company login page (so: enter password, press FIDO key, enter PIN, press FIDO key)?
In my case I was already on passkeys and Google decided to just... forget them all on my other computers. I can't use them to get in anymore. Why? Who the heck knows.
This whole passkey shit is going to be a nightmare for UX.
So what happens when I die and my spouse or next of kin has to deal with this stuff? As the executor of my father's estate, he kept a physical password book that was instrumental in making it easy for me to settle his affairs.
There are a lot of interesting points being made in the conversation here.
What I haven't seen yet is a reminder that a Google Account is effectively Google's private property that they're letting you access in exchange for vacuuming up your personal data.
Always remember that passwords are protected by the Fifth Amendment and similar laws in other countries, but there is no law prohibiting an officer from putting your phone in front of your face to unlock it.
They've been accidentally enabling it for nearly a month if not more. And the UX has been infinitely confusing. I've been using 2fa for a decade (not an exaggeration, an understatement). I've been using u2f since the first month it was available and FUCK Google for this blog post.
A month ago I logged in and tried to check on my security tokens. Their UI was silently upconverting them. Without telling me. And the flow made it look like it was just deleting them. Hours later I realized it had re-enrolled them AND IT LOST THE DESCRIPTION I GAVE TO THEM. To be clear, it trashed the description I gave them during (what I didn't know at the time) was re-enrolling them as passkeys, because I sure as hell wasn't in the passkeys area. So not only did I inadvertently change them, they're now indistinguishable and unidentifiable to me. So if I want to ensure my primary and backup tokens are enrolled properly, I have to do it all over again, with all of them in my possession.
Seriously, I have defended google against all sort of claims with respect to their 2FA and they can absolutely get up their own after what they pulled, and now this blog post.
Do some god damn basic (user) testing FFS. I would literally pay $1000usd right this second to scream at the people who green-lit and implemented this. And another $1000usd to ensure to people here that I know DAMN WELL what I'm talking about here. It's not like I don't have video evidence of exactly what I'm stating here on an unlisted YT video tweeted at Google Security.
Edit2: to be VERY clear, I have a video I reviewed, just now, that shows me trying to enroll an existing Security Token with a description, it disappearing, it then appearing as a Passkey with no description.
Correct me if I'm wrong but isn't it fair to say that passkeys secured on your phone are more secure than 1FA (password) but less secure than "traditional" 2FA?
Passkey 2FA: unlock your phone and the passkey on your phone can log you in.
Traditional 2FA: remember a password AND unlock your phone (where your TOTP is stored) and you can log in.
If I were to rate all 3 methods on a scale of 1 to 10, for convenience and security, I'd say:
The trend from Google continues to be towards "if you lose your phone with your credentials, you will be unable to log in". And Google refuses to create a scalable system that allows you access to your account by verifying your identity in person.
This is a recipe for disaster. And, possibly, a warning to move off GMail before it gets worse.
cpuguy83 | 2 years ago
Adding a passkey to an account is like adding a yubikey to an account (experience wise). You can (typically) add multiple keys to your account.
It's also not all or nothing. You can (in every service I've setup) still have a password and an even a TOTP.
[+] [-] sandeep_random|2 years ago|reply
[+] [-] two_handfuls|2 years ago|reply
Unless you store the passkey in a hardware Fido key like a Yubikey. Then the way to transfer it is to physically carry the key and plug it to another device.
[+] [-] brundolf|2 years ago|reply
[+] [-] skybrian|2 years ago|reply
That doesn't mean giving up on having good security, though. Passkeys don't work like eSims and other users' situations might not be the same. Their failure modes will be different. They might have more than one device (like a phone and a tablet), or they might not use MS Authenticator for their email, or they might have set up different recovery methods?
We need more backups and user education, which ideally would include rehearsing account recovery before it's actually necessary.
[+] [-] NikkiA|2 years ago|reply
[+] [-] lynx23|2 years ago|reply
[+] [-] bhawks|2 years ago|reply
I am not being sarcastic - which ever service your authenticating to make sure you have passkeys from at least 2 different devices so you do not lock yourself out.
If you don't fit into this multi device assumption, passkeys are not going to work well for you. There will not be a standard for transfer / recovery.
[+] [-] negative_zero|2 years ago|reply
[+] [-] RockRobotRock|2 years ago|reply
It would be awesome to have an "emergency" server where I could type in the URL, decrypt it with my passphrase and OTP, and get access to everything I need temporarily so I can re-bootstrap all my stuff. Of course, this doesn't solve the problem of SMS 2fa being used for everything, but it's a good first step.
I am in favor of crossplatform solutions like YubiKey. Apple and Google passkeys are lame.
[+] [-] solatic|2 years ago|reply
[+] [-] Brajeshwar|2 years ago|reply
I moved quite a bit of logins to Passkey and I chose to stay with the Apple ecosystem as my Passkey Lord/God. So far, it has worked and I have moved between devices (desktops, mobile, and the in-betweener).
Assuming I’m going to stay for quite a while with the Apple Ecosystem, am I doing it wrong by making my Passkeys pass through my Apple ID?
For instance, I change my eSim or number or replace phone, won't accept next time I login and then verify from the laptop, desktop, iPad, watch, or, heck, the Apple Polishing Cloth? (Assuming the cloth will become a smart cloth eventually).
[+] [-] v7p1Qbt1im|2 years ago|reply
They are when using a third party password manager like 1password or dashlane. At least in they are device agnostic. Haven‘t yet tried to export a passkey to another manager.
[+] [-] SergeAx|2 years ago|reply
[+] [-] unknown|2 years ago|reply
[deleted]
[+] [-] metafunctor|2 years ago|reply
In any case, you should have multiple methods. It could be passkeys on multiple devices. It could be TOTP, plus recovery codes in a safe. Passkeys are just one more method.
For the longest time, the gold standard for authenticating people has been tamperproof hardware with keys that cannot be copied. Except iPhones actually have credible biometrics on top of that. Much better than Yubikeys, for example. Of course you always need to have at least one backup device or other method in case your primary device is lost. Now that this is finally making its way to the “normal people”, it's suddenly a “run away screaming” scenario? Come on.
redrblackr | 2 years ago
The problem here is that you are assuming one passkey. Just like you don't get just one key for your door, it's risky to get only one passkey if you are planning to use it exclusively.
Passkeys are like normal keys but for your digital life. They have many benefits over normal keys like being impossible to copy/pick while still being easy to replace (as long as you have one that works) and if used properly (with a short pin-code) someone who finds or steals your key can't log in to your virtual doors anyway. They compare even better to passwords.
Just get one for your keychain and one to put at your stationary computer at home. The only thing to remember is to add both to your account(s), which still is faster than fiddling with your password manager and/or second factors.
Passkeys are really amazing, the only thing(s) remaining is to stop confusing people with terminology, explain that you should have a pair and for services to start properly using the keys as a combined first+second factor with a pin (which you can have safely the same on all your passkeys, in contrast to passwords).
What do you mean not cross-vendor transferable? You can use any brand key that properly implements the protocol (FIDO2/WebAuthn), and replace them with any brand key. If you mean copy them, well yea that's kinda the point..
There are plenty of ways for recovery on reasonable services, sometimes they ask to set up way too many (and with multiple passkeys, recovery is only relevant if you lose ALL of your keys).
Just want to point out that if your missus had a pair of passkeys there would not have been any issue!
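The "have at least two passkeys" advice from bhawks and redrblackr above, as an added example that is not from any commenter or from Google: the service keeps one public key per enrolled device, any one of them answers a fresh challenge, and revoking a lost device leaves the others working. The type and function names are constructed for illustration; the PIN step and signature counter of real WebAuthn are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Account is the relying-party view of one user: a public key per registered
// passkey, keyed by credential ID. The private keys stay on the devices.
type Account struct{ Creds map[string]ed25519.PublicKey }

// NewChallenge issues the fresh random nonce the device must sign for this login;
// a new nonce each time is what makes a captured signature worthless later.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Register enrols one device's public key under a credential ID. Call it for at
// least two devices so losing one never locks the account.
func (a *Account) Register(id string, pub ed25519.PublicKey) {
	if a.Creds == nil {
		a.Creds = map[string]ed25519.PublicKey{}
	}
	a.Creds[id] = pub
}

// Revoke drops a lost device's key; every other registered passkey keeps working.
func (a *Account) Revoke(id string) { delete(a.Creds, id) }

// Verify accepts an assertion (the device's ed25519.Sign over the challenge) only
// if it was made by a still-registered key over this exact challenge.
func (a *Account) Verify(id string, challenge, sig []byte) error {
	pub, ok := a.Creds[id]
	if !ok {
		return errors.New("unknown or revoked credential")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match challenge")
	}
	return nil
}

// CanLogIn reports whether any passkey is left; false means recovery codes are the only way in.
func (a *Account) CanLogIn() bool { return len(a.Creds) > 0 }
```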
Moldoteck | 2 years ago
unknown | 2 years ago
[deleted]
hbt | 2 years ago
You can do it on your own with Twilio, then create a phone number and have a program forward you stuff to your real phone.
The Twilio phone is hard to lose as it has an API and you can toss it when you want to start over.
Except now, you need an entire phone virtualized as your proxy instead of just a Twilio phone number.
They keep raising the barrier.
briffle | 2 years ago
samcat116 | 2 years ago
iampivot | 2 years ago
unknown | 2 years ago
[deleted]
rawgabbit | 2 years ago
I don’t think I am alone in thinking I am on borrowed time. Someday, probably due to my own fault I will be locked out of Google and my digital life will be over.
If a private company can offer a similar login method like login.gov and let me talk to a real person when I am locked out like the USPS, I will be screaming shut up and take my money.
leotravis10 | 2 years ago
LeoPanthera | 2 years ago
That means that they're literally impossible to back up. If 1Password goes down, or the company stops operating, or anything else like that, your Passkeys are just... gone. Absolutely no way to recover them.
frabcus | 2 years ago
What happens if there's a house fire or something and all my devices where I'm logged in with Google break? How do I log into my account again?
rmellow | 2 years ago
On average, this might increase security (the vast majority of users are terrible at using passwords).
For proficient users who use passwords securely, this is an acute drop in security (if forced to use).
Forced phone number 2FA has the same effect; in Big G's case forcing phone number 2FA is anti-anonymity disguised as security. In this case, it's a bid for biometrics.
cjcampbell | 2 years ago
1. Advanced protection doesn't yet support passkeys. You must keep U2F in place for now.
2. If you have a U2F key configured on your account, Google will prompt you to use it as a passkey before telling you that it's not a passkey and you must login with your password.
The net result is that anyone using phishing resistant MFA loses the ability to have their MFA step "remembered" on a device because Google will always prompt for the U2F factor before the password.
This aside, I've been doing a lot of testing with FIDO2 flows using security keys and passkeys across device types and platforms in preparation to roll out passwordless via Okta with a couple of smaller clients. Overall, I love the authentication flow, but there are a lot of gotchas to keep in mind. We've spent a considerable amount of time mapping out the happy path, creating onboarding resources, and documenting business continuity scenarios. The personal use case is actually more of a challenge in some ways, because you need to think about each service rather than just one IdP.
FYI, the easy path right now if you need to support multiple environments is to invest in 1Password or another password manager that supports passkeys. This provides the most consistent user experience and works across most platforms, though we're still having trouble with Android 14.
We're sticking to hardware keys for highly privileged accounts, so admins get a pair of FIDO2 keys. Everyone else gets one Yubikey, which serves as a backup if they lose access to their devices or need to log in on an untrusted device. Android is also a problem here. Even in 14, it doesn't seem to support passwordless FIDO2 flows.
netsec_burn | 2 years ago
mission_failed | 2 years ago
Anything that Google controls you have absolutely no way to get in contact to resolve issues. This is already a problem with all of their products. Locking all of your access behind a Google controlled door is just setting yourself up for a future nightmare.
latchkey | 2 years ago
https://bitwarden.com/blog/bitwarden-passkey-management/
aboringusername | 2 years ago
For example, it is completely valid to say I genuinely do not know my 1000 long multiple special character password; it could be on a piece of paper, in a file encrypted with multiple layers. Essentially, there is no foolproof way to ever prove whether I know a given password, or not, especially if the password is only ever in my head (assuming the plaintext version is never logged, all you would ever have as 'proof' is a hash to compare it to).
Passkeys make it so that, I imagine, there is an element of 'proof' at all times; your face, fingerprints (which in some countries you are required by law to provide), I can't disprove I "own" my fingers so that element is always there, and you can be compelled to provide your fingerprints at any time for any reason - with a password, it is impossible to know whether I know a password.
In that sense, a password is far, far, far stronger than any other method of authentication.
Take a scenario: Mr Police wants access to your phone, it's protected only by your fingerprint, pretty easy to gain access. Now do the same but with a password that's sufficiently complex, written on a now shredded piece of paper, and there is genuine plausible deniability.
I imagine in a lot of cases this is extremely important and passkeys will be shunned altogether.
pentagrama | 2 years ago
> We’ve found that one of the most immediate benefits of passkeys is that they spare people the headache of remembering all those numbers and special characters in passwords.
So they aren't considering at all how easy is the autofill password feature with a password manager (that they even have built in Chrome/Android).
jjoonathan | 2 years ago
di4na | 2 years ago
In my case I was already on passkeys and Google decided to just... forget them all on my other computers. I can't use them to get in anymore. Why? Who the heck knows.
This whole passkey shit is going to be a nightmare for UX.
Bluecobra | 2 years ago
jehb | 2 years ago
What I haven't seen yet is a reminder that a Google Account is effectively Google's private property that they're letting you access in exchange for vacuuming up your personal data.
The only winning move is not to play.
reisse | 2 years ago
jval43 | 2 years ago
k8svet | 2 years ago
They've been accidentally enabling it for nearly a month if not more. And the UX has been infinitely confusing. I've been using 2fa for a decade (not an exaggeration, an understatement). I've been using u2f since the first month it was available and FUCK Google for this blog post.
A month ago I logged in and tried to check on my security tokens. Their UI was silently upconverting them. Without telling me. And the flow made it look like it was just deleting them. Hours later I realize it had re-enrolled them AND IT LOST THE DESCRIPTION I GAVE TO THEM. To be clear, it trashed the description I gave them during (what I didn't know at the time) was re-enrolling them as passkeys, because I sure as hell wasn't in the passkeys area. So not only did I inadvertently change them, they're now indistinguishable and unidentifiable to me. So if I want to ensure my primary and backup tokens are enrolled properly, I have to do it all over again, with all of them in my possession.
Seriously, I have defended google against all sort of claims with respect to their 2FA and they can absolutely get up their own after what they pulled, and now this blog post.
Do some god damn basic (user) testing FFS. I would literally pay $1000usd right this second to scream at the people who green-lit and implemented this. And another $1000usd to ensure to people here that I know DAMN WELL what I'm talking about here. It's not like I don't have video evidence of exactly what I'm stating here on an unlisted YT video tweeted at Google Security.
Edit2: to be VERY clear, I have a video I reviewed, just now, that shows me trying to enroll an existing Security Token with a description, it disappearing, it then appearing as a Passkey with no description.
JaneLovesDotNet | 2 years ago
powera | 2 years ago
The trend from Google continues to be towards "if you lose your phone with your credentials, you will be unable to log in". And Google refuses to create a scalable system that allows you access to your account by verifying your identity in person.
This is a recipe for disaster. And, possibly, a warning to move off GMail before it gets worse.